Five Possible Hacks to Worry About Before Election Day

Federal and state officials are focusing on five possible ways to hack the election. Here is a look at their biggest concerns:

A flood of disclosures

(Possible, but hard to make an impact)

In an election that has already been shaken by a series of disclosures — from messages hacked by the Russians that ended up in the hands of WikiLeaks to a cache of emails on the computer of former Representative Anthony D. Weiner that might be related to the Hillary Clinton email inquiry — it is not hard to imagine a last-minute set of revelations. The question is whether they would make much difference.

Photo

Former Representative Anthony D. Weiner in New York in 2013. The discovery of a cache of emails on his computer that might be connected to the Hillary Clinton email inquiry is one of several disclosures that have rocked the 2016 election.Credit
Richard Drew/Associated Press

So far, the steady drip of documents from WikiLeaks and other sites posting stolen emails and even the National Security Agency’s tools for breaking into foreign computer networks has not changed the contours of the election. Emails that seemed to show efforts in the Democratic National Committee to tip the scales in favor of Mrs. Clinton in the primaries led to the resignation of Representative Debbie Wasserman Schultz as the committee’s chairwoman, but they had little long-lasting effect. A disclosure from the hacking of the email account of John D. Podesta, the Clinton campaign chairman, bolstered the notion that Bill Clinton had been enriched by some of the same people who contributed to the Clinton Global Initiative. But that was not exactly a surprise.

Still, no one knows what else hackers might have stolen, or may be saving for the last frenetic days of the campaign.

Interfering with voter registration rolls

(Lots to worry about)

In the spring, the F.B.I. warned Arizona, and then Illinois, that someone was “probing” their central voter registration databases, the ever-changing lists of people who are legally registered to vote and where they live. Once, those rolls were kept in big books and dragged to polling places, but today they are held in databases, often connected to websites that make it easier to register online or when getting a driver’s license.

The vulnerabilities in big central systems are hard to find, as the federal government learned with the Chinese theft of nearly 22 million security clearance records from the Office of Personnel Management. Chinese hackers were inside the systems for more than a year before the government noticed.

Voter databases are not treated as “critical infrastructure” by the federal government, the way that the Washington Monument or the power grid is. That is largely because few had the foresight to consider that a foreign attacker could tinker just enough to cause chaos on Election Day. “We’ve thought in terms of structures,” Adm. Michael S. Rogers, the director of the National Security Agency, said recently. “Data is taking on a much larger value in and of itself.” But he noted that “it’s the states’ responsibility.”

Yet many states have underinvested in their systems, and that is why there is so much concern. Few states even sample their systems to see if the data is correct, so they might not be able to detect a problem. Starting this summer, the Department of Homeland Security has raced to perform tests in states that asked for help — all but a few have — but the process was rushed, and the government will not say what it found.

The fear is that intruders could make minor changes in addresses or other identifying information, leading to long lines and accusations of “rigging” the polls. Voters could cast provisional ballots, but it could take months to sort out.

_____

Photo

Members of the news media preparing for the presidential debate in Las Vegas last month.Credit
Damon Winter/The New York Times

Manipulating the count reported to news organizations

(A significant risk, but detectable)

Consider this possibility: It is Tuesday evening, and the networks and other news organizations are clamoring for “unofficial” results so they can call the races in swing states. The precincts report returns to regional centers, and that data flows to The Associated Press, the clearinghouse for unverified returns. If hackers could flip such “data in motion,” they could alter the first call, even if it is an unofficial one. If the numbers then swing back in the official tally, cries of foul play — that the numbers got manipulated before the final calculation — would surely follow.

Sound far-fetched? It happened recently in Ukraine, in an attack organized by Russia, experts believe. As Ben Buchanan and Michael Sulmeyer note in a Harvard Cyber Security Project report, investigations revealed that “offenders were trying by means of previously installed software to fake election results.” The effort was discovered 40 minutes before the results were scheduled for announcement. The Harvard report notes that “curiously, pro-Russian TV nonetheless reported the fake results exactly.”

_____

Photo

A cellphone user in Palo Alto, Calif. There are fears of an internet attack that could make it difficult for voters to find directions to polling places on their phones.Credit
Jim Wilson/The New York Times

An internet disruption that makes it hard to get to the polls

(The new big fear)

When internet connections across the East Coast slowed to a crawl on Oct. 21, after a sophisticated attack on a company that serves as a “switchboard” of the web, it illustrated a new fear for Election Day: an attack that comes just as voters are looking at their phones to find their polling place, or trying, for instance, to figure out if the bus will get them there.

That hack was a new twist on an old, crude technique: a “distributed denial of service” attack that overwhelms websites or the internet’s traffic systems with a barrage of data. In the Oct. 21 attack, which is not believed to have been conducted by a foreign power, internet-connected devices like security cameras were infiltrated and programmed en masse to attack Dyn DNS, a firm that helps connect web searches to the right internet sites.

Such an attack could be directed, for example, at computer systems used by a campaign’s “get out the vote” efforts. “People think of denial-of-service attacks as very broad,” said Andy Ellis, the chief security officer at Akamai, a firm that helps companies maintain web connectivity. “But they can be very targeted, very specific, and hard to defend against.”

The Department of Homeland Security is setting up a war room for Tuesday to look for trouble, connected to the F.B.I. and the Justice Department. But they look primarily at the federal government system. And the National Security Agency, presumably, is turning on the “implants” it has placed in foreign systems to detect any attacks. Those implants are all highly classified, so the N.S.A. is silent about what it can see — or what it could do if it saw the prelude to an attack.

Tinkering with voting machines

(Unlikely, but possible)

At every opportunity, federal and state officials are reminding everyone that voting differs from state to state, or even county to county. That makes it hard to hack.

“The voting machines themselves are offline, and we think the system is so diversified it is secure,” said Suzanne E. Spaulding, the under secretary of Homeland Security who oversees cybersecurity efforts.

Outside election experts fear, however, that this nothing-to-see-here confidence fails to take into account known vulnerabilities. While most voting machines are not connected to the internet while voting is underway, they are often connected before Election Day, to update their ballots and software.

Some machines, like the DS200, an optical scanning model used in many districts, comes with an optional wireless ability. The good news: They can report results automatically. The bad news: Any wireless connection is a vulnerability.

There are other worries. Five states do not have paper backups to create an audit trail if the electronic ballots are questioned. Pennsylvania, a swing state, has paper backups in only some communities. Members of the military who are based overseas are often permitted to email their ballots, and Alaskans can use what the state calls “secure online delivery.”

“The D.N.C. hack and the release of the emails are a wake-up call,” said Susannah Goodman, the director of voting integrity for Common Cause. “Emailing is not something you would do with your Social Security number,” she added. “So why would you do it with your ballot?”